Tuesday, January 11, 2011

AuthenticationNotSupportedException: DIGEST-MD5 on WebSphere

So guess what happened?

Running some simple authentication code from WebSphere failed on me. Here's the auth code...

private InitialDirContext callDirectory(String password,
String usernameWithoutDomain) throws NamingException
{
InitialDirContext ctx;
Hashtable env = new Hashtable();

env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, _ldapUrl );
env.put(Context.SECURITY_AUTHENTICATION, "DIGEST-MD5");
env.put(Context.SECURITY_PRINCIPAL, usernameWithoutDomain );
env.put(Context.SECURITY_CREDENTIALS, password);
ctx = new InitialDirContext(env);
return ctx;
}

And here's what WebSphere told me when it exploded.

javax.naming.AuthenticationNotSupportedException: DIGEST-MD5
at com.sun.jndi.ldap.sasl.LdapSasl.saslBind(LdapSasl.java:115)
at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:229)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2652)
at com.sun.jndi.ldap.LdapCtx.(LdapCtx.java:298)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:190)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:208)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:151)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:81)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:679)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:259)
at javax.naming.InitialContext.init(InitialContext.java:235)
at javax.naming.InitialContext.(InitialContext.java:209)
at security.ActiveDirectoryReader.openDirectoryContext(ActiveDirectoryReader.java:80)


The fix?
Took a while, but IBM support found that a setting in java.security which should have been set by default, was not set by default.

security.provider.7=com.ibm.security.sasl.IBMSASL

The number 7 above is the order that this property appears in the java.security file. This may be different in your java.security file.

Weird that it was off by default and should have been on. It was a big relief to find that it was merely a configuration change.
Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)